Hackers target critical WordPress theme flaw - hundreds of sites at risk from potential takeover, find out if you're affected

WordPress logo on mobile
(Image credit: Shutterstock)

  • Alone – Charity Multipurpose Non-profit WordPress Theme has a 9.8/10 flaw
  • The bug allows crooks to create rogue admin accounts
  • More than 120,000 takeover attempts already blocked

The "Alone – Charity Multipurpose Non-profit WordPress Theme", a commercial theme used in many WordPress websites, contained a critical vulnerability that allowed threat actors to completely take over the website, experts have warned.

The WordPress theme, designed for charities, NGOs, and fundraising campaigns, features more than 40 ready-to-use demos, donation integration, and compatibility with Elementor and WPBakery.

According to Themetix, around 200 active WordPress sites are running this theme today.

Ongoing attacks

Wordfence researchers claim exploitation started on July 12, two days before the vulnerability was publicly disclosed. So far, the company has blocked more than 120,000 exploitation attempts from almost a dozen different IP addresses.

In the attacks, the threat actors try to upload a ZIP archive with a PHP-based backdoor that grants them remote code execution capabilities, as well as the ability to upload arbitrary files. Crooks also used the flaw to deliver backdoors that can create additional admin accounts.

All versions up to 7.8.3 contained a vulnerability that allowed threat actors to upload arbitrary files, including malware that can create admin accounts. That way, crooks can completely take over websites and use them to host other malware, redirect visitors to other malicious pages, serve phishing landing pages, and more.

The vulnerability is now tracked as CVE-2025-4394, and has a severity score of 9.8/10 (critical). It was addressed in version 7.8.5, which was released on June 16, 2025. If you are using this theme, it would be wise to update it as soon as possible, since the bug is being actively exploited in the wild.
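One way to check whether a site is on a vulnerable build, and whether the upload pattern described above has left executable PHP in the media directory: this is an added example, not code from the article, Wordfence or the theme vendor. It assumes the theme's style.css carries the standard WordPress `Version:` header and that media live under wp-content/uploads; the sample header and file list below are constructed.

```python
import re
from pathlib import Path

PATCHED_VERSION = "7.8.5"   # fix version named in the article (7.8.3 is the last affected build it cites)

def parse_version(text):
    """Turn '7.8.3' into (7, 8, 3) so comparison is numeric, not lexical ('7.10' > '7.8')."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def theme_version_from_style(style_css):
    """Read the 'Version:' header WordPress expects in the comment block at the top of style.css."""
    match = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", style_css, re.MULTILINE)
    return match.group(1) if match else None

def is_vulnerable(version):
    """Anything below the patched release is treated as unpatched."""
    return parse_version(version) < parse_version(PATCHED_VERSION)

def flag_php_paths(paths):
    """wp-content/uploads should hold media only; executable PHP there is a
    classic artefact of the ZIP-with-backdoor uploads described in the article."""
    executable = (".php", ".phtml", ".phar", ".php5", ".php7")
    return sorted(p for p in paths if Path(p).suffix.lower() in executable)

def scan_uploads(uploads_dir):
    """Walk a real uploads directory and return any executable PHP it contains."""
    root = Path(uploads_dir)
    return flag_php_paths(str(p.relative_to(root)) for p in root.rglob("*") if p.is_file())

# Constructed sample of a theme style.css header (not the real theme's file).
SAMPLE_STYLE = """/*
Theme Name: Alone
Version: 7.8.3
*/
"""

# Constructed sample listing of an uploads directory.
SAMPLE_UPLOADS = [
    "2025/07/banner.jpg",
    "2025/07/report.pdf",
    "2025/07/wp-cache.php",
    "2025/07/.well-known/index.phtml",
]

if __name__ == "__main__":
    ver = theme_version_from_style(SAMPLE_STYLE)
    print("theme version:", ver, "vulnerable:", is_vulnerable(ver))
    print("executable files in uploads:", flag_php_paths(SAMPLE_UPLOADS))
```

Run `scan_uploads("/path/to/wp-content/uploads")` against a live install; any hit deserves a look even if the theme is already updated, because a backdoor dropped before the patch survives the update.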

WordPress is generally considered a safe website builder platform, but third-party themes and plugins - not so much. That is why security pros advise WordPress users to only keep the plugins and themes they actively use, and to make sure they are always up to date.

Via The Hacker News


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
